I have two panels in a dashboard and I would like that the number of counts adjust to the drop-down menu.
The two panels are:
event count
success 8
error 7
N/I 10
.... .....
Type error count
00001 7
00002 12
........ .......
In all logs, there is a field named: CLIENT_ID (only 4 kinds of that client). Is there a way to include a drop-down menu with the 4 kinds of clients, and depending which one I choose, filter counts of both panels? I read something related to the token in the drop-down menu and also putting $$ in the XML code. How can I do this? Should the search of both panels need to have the client id somewhere? I don't want client id in panels, just the 2 columns I have now.
Here's what you need
Drop-down with client list generated dynamically. You can achieve this somewhat like this
<input type="dropdown" token="tokClient" searchWhenChanged="true">
<label>Select client</label>
<search>
<query>index=* | stats count by client_id</query>
<earliest>@d</earliest>
<latest>now</latest>
</search>
<fieldForLabel>client_id</fieldForLabel>
<fieldForValue>client_id</fieldForValue>
</input>
OR
You can hard-code the list of client_id in your drop-down, like this
<input type="dropdown" token="tokCLient" searchWhenChanged="true">
<label>Select client</label>
<choice value="One">One</choice>
<choice value="Two">Two</choice>
<choice value="Three">Three</choice>
</input>
Create your dashboard panels using the tokClient in your search. Like this
<table>
<search>
<query>index=* client_id=$tokClient$ | table _time client_id</query>
</search>
http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Buildandeditforms
Ok, but how am I supposed to add:
index=* client_id=$tokClient$ | table _time client_id
to both searches of the 2 panels? They don't have any client ID. Here are the 2 searches of both panels.
PANEL 1
index="index1" | stats count by name
PANEL 2
index="index1" ERRORS | stats count by errorCode |sort -num(count)|
Thought you said "In all logs, there is a field named: CLIENT_ID "?